At 12:51 AM 26-06-2001 -0400, Jim Mercer wrote:
>my mods are server-side only.
>
>to rewind a bit.
>
>my mods correct this by doing:
>
>with an AUTH_ARGUMENT == "pg_shadow", the process is:
>tmp_pwd = crypt(client->passwd, pg_shadow->passwd)
>if strcmp(tmp_pwd, pg_shadow->passwd) == 0
> access allowed
>else
> access not allowed
>
>this is not so much an enhancement, but a correction of what i think the
>original "password" authentication scheme was supposed to allow.
>
Yep it's a correction. pg_shadow shouldn't have been in plaintext in the
first place.
host all 127.0.0.1 255.255.255.255 password
should have meant check crypted passwords in pg_shadow.
Given your suggestion, what happens when someone does an ALTER USER ...
WITH PASSWORD ....?
Might it be too late to do a fix?
HMAC sounds interesting. What would the impact be on stuff like Pg DBD?
Cheerio,
Link.